snowdensb / job-dsl-plugin

A Groovy DSL for Jenkins Jobs - Sweeeeet!
Apache License 2.0

configuration-as-code-1.15.jar: 2 vulnerabilities (highest severity is: 5.5) #246

Open mend-for-github-com[bot] opened 7 months ago

mend-for-github-com[bot] commented 7 months ago
Vulnerable Library - configuration-as-code-1.15.jar

Manage Jenkins master configuration as code

Library home page: https://wiki.jenkins.io/display/JENKINS/Configuration+as+Code+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/io.jenkins/configuration-as-code/1.15/3d7a55b195e12f5029f297f8dd35b27b4e3029a4/configuration-as-code-1.15.jar

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (configuration-as-code version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2019-10367 | Medium | 5.5 | configuration-as-code-1.15.jar | Direct | 1.27 | | |
| CVE-2022-23106 | Medium | 5.3 | configuration-as-code-1.15.jar | Direct | io.jenkins:configuration-as-code:1.55.1 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-10367

### Vulnerable Library - configuration-as-code-1.15.jar

Dependency Hierarchy:
- :x: **configuration-as-code-1.15.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

Publish Date: 2019-08-07

URL: CVE-2019-10367

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10367

Release Date: 2019-08-07

Fix Resolution: 1.27

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-23106

### Vulnerable Library - configuration-as-code-1.15.jar

Dependency Hierarchy:
- :x: **configuration-as-code-1.15.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

Publish Date: 2022-01-12

URL: CVE-2022-23106

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Release Date: 2022-01-12

Fix Resolution: io.jenkins:configuration-as-code:1.55.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.